I have a forwarding domain (forwardingdomain.org > actual-website.org) for which I have email forwarders set up. To reduce spamming/spoofing of my email forwarders, I would like to set up a correct SPF TXT record in the domain’s DNS.

I have an SPF TXT record set up in the DNS; however, recently I’ve received scam/ransomware/spam emails that appear to be coming from email forwarders of the forwarding domain. So, that SPF record may not be working. I’ve successfully set up SPF TXT records for domains that have a website associated with them (i.e., I can use a server IP in the SPF record). For this domain, however, since it’s forwarding, it’s not clear what IP I should use.

Here’s the current SPF record (I don’t remember adding this myself; it may have gotten generated by itself):

Type: TXT
Host: @
Value: v=spf1 a mx include:sendgrid.net ~all

Expected result: No more scam/spam/ransomware emails should be coming in that appear as if they were sent from my email forwarders.

Actual result: Scam/spam/ransomware emails are coming in, appearing to be sent from my email forwarders.

1 Answer

Firstly I would recommend adding an include mechanism to pull in IPs from your forwarding domain.

Next, you have a ~all default mechanism, which means that forged messages will not be rejected, just marked as non-compliant (softfail). This is the correct setting if you are still testing your configuration or you are using DMARC.

With DMARC, the softfail can be turned into a full rejection, and this is generally considered better than using -all because it retains DMARC’s other semantics.

Synchro
  • Thank you for your response, @synchro. I’m really very unfamiliar with how SPF TXT records are supposed to work. How do I add an `include` mechanism to pull in IPs from my forwarding domain? I'm not using DMARC right now. Should I set that up? If so, how would I do that? – Nicolas Texier Apr 26 '19 at 01:53
  • Set up a list of permitted IPs in your forwarded domain’s SPF, then add an `include` for it in this one, like you’ve done for sendgrid. DMARC is too big a Q for comments, but there are plenty of docs and articles on it. It may involve setting up DKIM, which is probably more difficult. – Synchro Apr 26 '19 at 06:21
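
An added example, not part of the original question, answer or comments: it parses the SPF record from the question, shows what its `~all` term yields for an unlisted sender, inserts an `include` before `all` as the answer suggests, and shows how a DMARC `p=reject` policy treats that softfail. The host `_spf.forwarder.example`, the DMARC record and all function names are assumptions made for illustration.

```python
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"a", "mx", "include", "exists", "ptr", "redirect"}

QUESTION_SPF = "v=spf1 a mx include:sendgrid.net ~all"   # record from the question
FORWARDER_SPF = "_spf.forwarder.example"                 # placeholder host (assumption)
DMARC_REJECT = "v=DMARC1; p=reject"                      # constructed DMARC record

def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for part in parts[1:]:
        qualifier = "+"                  # a missing qualifier means '+'
        if part[0] in QUALIFIERS:
            qualifier, part = part[0], part[1:]
        name, *rest = re.split(r"[:=/]", part, maxsplit=1)
        terms.append((qualifier, name.lower(), rest[0] if rest else ""))
    return terms

def default_result(record):
    """SPF result for a sender that matches no mechanism before 'all'."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                     # no 'all' term (redirect= is not followed here)

def lookup_count(record):
    """DNS-lookup terms at the top level only; nested includes add more."""
    return sum(1 for _, name, _ in parse_spf(record) if name in LOOKUP_TERMS)

def add_include(record, domain):
    """Insert include:<domain> before 'all'; terms after 'all' are never evaluated."""
    parts = record.split()
    idx = next((i for i, p in enumerate(parts)
                if p.lstrip("+-~?").lower() == "all"), len(parts))
    parts.insert(idx, "include:" + domain)
    return " ".join(parts)

def dmarc_disposition(spf_result, dkim_aligned_pass, dmarc_record):
    """Policy the domain requests; assumes the SPF domain aligns with From:."""
    tags = dict(t.strip().split("=", 1) for t in dmarc_record.split(";") if "=" in t)
    if spf_result == "pass" or dkim_aligned_pass:
        return "pass"
    return tags.get("p", "none").strip()   # softfail is not a pass, so policy applies

if __name__ == "__main__":
    print(add_include(QUESTION_SPF, FORWARDER_SPF))
    print(default_result(QUESTION_SPF), dmarc_disposition("softfail", False, DMARC_REJECT))
```
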